Typographic Conventions


This document uses these typographic conventions. 


• The names of windows, views, tabs, dialog boxes, panes, panels, buttons, fields, options,
checkboxes, and the like are in Initial Caps, or otherwise capitalized according to their labels.

• Keystrokes are shown in all capital letters, such as TAB, CTRL, OPT, CMD, SPACEBAR.
Keys pressed at the same time are joined with +, such as CTRL+S, OPT+T.

• The names of elements that you are directed to interact with by clicking, selecting, or typing
are shown in bold.

• Immediately contiguous menu actions such as clicking a toolbar button or menu, then
immediately clicking another item in a resulting submenu, are separated with the > symbol,
such as

Edit > Copy
Preferences > Data Collection

• File names, folder names, file paths, disk names, drive names, volume names, partition names,
and the like are shown in italic. File extensions such as .pdf, .docx, .jpg, and so forth are not
shown in italic.

• Variables are enclosed with <angle brackets>, such as <PLATFORM> VOLUMES, where
<PLATFORM> is either MACOS or WINDOWS.

• Anything you are directed to type exactly, such as file names, commands,
or code, is shown in a console font.


If you find any typos, inaccuracies, or other problems in this documentation, please send an
email to support@cellebrite.com. Please include the title of the document, the version of the
document, and the title of the topic in your message.
Document Revisions


This topic identifies information that is new, removed, or changed within this document since the 
previous version. 


• This entire guide was revised to focus on audience and tasks, and to integrate information
about mobile collections.
• What's New in Version 1.3 is a new topic.


Version 1.3 What’s New in Version 1.3 


What’s New in Version 1.3 


These features are new in this version of Endpoint Inspector. Information in this chapter
supersedes the remainder of this document.


The Endpoint Inspector web interface is supported on these web browsers: 


• Chrome
• Edge
• Firefox
• Safari


These features are new in this version of the Endpoint Inspector web interface: 


• Collect Data from Android Mobile Devices
• Support for Amazon S3 Buckets
• Support for Multiple Storage Destinations
• Schedule Collections from Remote Computers
• Collect Volatile Artifacts from Remote Computers
• Link to Web Page Announcing New or Changed Features
• New Settings


Collect Data from Android Mobile Devices 


On the Mobile Collections page in the Endpoint Inspector web interface, examiners can now
create and manage collections for Android mobile devices. The same mobile agent supports
collecting from both iOS and Android.


[Screenshot: Home > Mobile Collections > Create Job page, with Custodian Information (custodian
name and email), Collection Parameters (destination and optional collection output password),
optional Notes, and Data to collect (iOS or Android, with Select Data Types). The Select Data
Types note reads: "Select the specific data type you would like to include in the collection.
This will NOT include third party applications data."]
When you create a mobile collection job, you can select Android as the platform and then select
data types to collect. On the Select dialog box, you can select all data or you can mark any or all
of these other checkboxes:

• Select All
• Archives
• Audio
• Calendar
• Call Logs
• Contacts
• Documents
• MMS
• Pictures
• SMS
• Videos


The examiner sends the activation token and URL for downloading the mobile agent to the 
person with custody of the Android device. 


The custodian downloads and installs the mobile agent onto their computer. The computer must 
be restarted to complete the installation. After the computer is restarted, the custodian finds the 
installed CellebriteMobileAgent on their desktop and runs it. The Welcome to Endpoint Inspector 
page opens in the custodian’s default web browser. 


[Screenshot: Welcome to Endpoint Inspector page, which prompts the custodian to enter the
activation code they received to start the collection process.]


Just as with collections from iOS devices, the custodian then enters the activation token provided
to them by the examiner. Instructions on the Endpoint Inspector web interface guide the
custodian through preparing and connecting their Android device and alert them that an
agent will also be automatically installed on the Android device. This device agent is required to
collect the data.


The data collection is transferred to the custodian’s computer, where the agent creates a .zip file 
and then sends it to the specified storage repository. The .zip file may be password protected if 
the examiner defined the mobile collection job to require a collection output password. The 
device agent removes itself after the collection process is complete. If the device agent fails to 
remove itself, instructions within it show the custodian how to manually remove it. 
Support for Amazon S3 Buckets


There are now three destination types for both computer and remote mobile collection jobs. In 
addition to Network Share and SFTP paths, you can set up an Amazon S3 bucket as a 
destination. This includes GovCloud. 


You must use web pages provided by Amazon to create the bucket. 


1. Use the AWS Management Console to specify the name and region where the bucket will be 
hosted. 

2. Use the IAM dashboard to create a role and policies for the bucket. 

3. Create a user and attach policies to the user. 


Support for Multiple Storage Destinations 


On the Settings page, you can now create and manage multiple storage repositories. These 
repositories can serve as destinations for both computer and remote mobile collection jobs. 


Create a Storage Repository 


1. Log in to the Endpoint Inspector web interface and then click Settings. 
2. Click ADD under Storage Repository. 
The Add new storage repository dialog box appears. 


[Screenshot: Add new storage repository dialog box with Network Share selected (the other
options are SFTP and Amazon S3). Fields: Name, Network Address (for example DESKTOP-YZ0234 or
172.16.1.23), Share Name, Folder Name, Username, and Password.]


3. In the Name field, type the name for this storage repository. 
4. Select the appropriate type of destination and then complete the remaining fields. 
Manage Storage Repositories


1. Log in to the Endpoint Inspector web interface and then click Settings. 
2. Under Storage Repository, you can see a list of all the storage repositories created in this 
Endpoint server. 


3. Choose the appropriate action.

Edit a repository
a. For the appropriate repository, click Actions and then click Edit Storage Repository.
b. In the Update storage repository dialog box, change the appropriate information and then
click Update.

Delete a repository
Mark the checkbox for the appropriate repository and then click Delete.
SFTP Public/Private Key Authentication for a Storage Repository


For SFTP repositories, you can now set up public or private key authentication.


[Screenshot: Add new storage repository dialog box with SFTP selected. Fields: Name, Server
Address, Server Port (22), Path, Username, and Host Key (required for computer collections).
The authentication choice is Password or Public/Private Key Authentication; with the latter
selected, the dialog box shows Private Key and an optional Passphrase.]
Set Up an Amazon S3 Storage Repository


After you have created the Amazon S3 bucket, keep those web pages open so you can refer to 
them when you create the storage repository in the Endpoint Inspector web interface. 
1. Log in to the Endpoint Inspector web interface and then click Settings. 
2. Click ADD under Storage Repository. 
The Add new storage repository dialog box appears. 


[Screenshot: Add new storage repository dialog box with Network Share selected. Fields: Name,
Network Address, Share Name, Folder Name, Username, and Password.]

3. In the Name field, type the name for this storage repository.
4. Click Amazon S3.

[Screenshot: Add new storage repository dialog box with Amazon S3 selected. Fields: Name,
Select a region, Bucket Name, Folder, Role, Access Key ID, and Secret Access Key.]


5. Click Select a region and then select the region that matches the one you selected for the 
bucket you created in the AWS Management Console. 
6. Type appropriate information in these fields.

Field | Description

Bucket Name | The name of the bucket just as it was defined in the AWS Management Console
Folder | The name of the folder within the bucket that will store collected data sets
Role | The name of the role that lets a user get and put objects for the bucket, as defined in the AWS Management Console
Access Key ID | The access key ID for the AWS user account
Secret Access Key | The secret access key ID for the AWS user account
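
Because the Role only has to get and put objects, its policy can be limited to the repository's Folder rather than the whole bucket. The following Python example is added here and is not Cellebrite's or AWS's own code: it builds the role, trust, and user policy documents (using the aws-us-gov ARN partition for GovCloud regions) and audits an existing role policy for anything broader. The bucket, folder, account, user, and role names are constructed placeholders, and having the IAM user assume the role is an assumption; this guide states only that the role lets a user get and put objects.

```python
"""Least-privilege IAM documents for an Endpoint Inspector S3 destination.

Added example. Bucket, folder, account, user and role names are constructed
placeholders; role assumption by the IAM user is an assumption, not a
documented product requirement.
"""
import json

ALLOWED_ACTIONS = {"s3:getobject", "s3:putobject"}  # "get and put objects"


def partition_for(region):
    """ARN partition: GovCloud regions use aws-us-gov, commercial ones use aws."""
    return "aws-us-gov" if region.startswith("us-gov-") else "aws"


def folder_arn(bucket, folder, region):
    """ARN prefix covering only objects under the repository's Folder."""
    return f"arn:{partition_for(region)}:s3:::{bucket}/{folder.strip('/')}/"


def build_role_policy(bucket, folder, region):
    """Permission policy for the Role: get/put limited to one folder."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CollectionObjectsOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": folder_arn(bucket, folder, region) + "*",
        }],
    }


def build_trust_policy(account_id, user_name, region):
    """Trust policy for the Role: only the collection user may assume it."""
    part = partition_for(region)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{part}:iam::{account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_user_policy(account_id, role_name, region):
    """Policy attached to the user: assume the one role and nothing else."""
    part = partition_for(region)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:{part}:iam::{account_id}:role/{role_name}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role_policy(policy, bucket, folder, region):
    """Return findings for Allow statements broader than get/put on the folder."""
    scope = folder_arn(bucket, folder, region)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} exceeds get/put")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(scope):
                findings.append(f"statement {i}: resource {resource} is outside {scope}*")
    return findings


# Constructed sample of an over-broad policy: every S3 action on the whole bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-collections/*",
    }],
}

if __name__ == "__main__":
    args = ("example-collections", "endpoint-inspector", "us-gov-west-1")
    print(json.dumps(build_role_policy(*args), indent=2))
    print(json.dumps(build_trust_policy("111122223333", "ei-collector", args[2]), indent=2))
    print(json.dumps(build_user_policy("111122223333", "ei-collection-role", args[2]), indent=2))
    for finding in audit_role_policy(OVERBROAD_POLICY, "example-collections",
                                     "endpoint-inspector", "us-east-1"):
        print("FINDING:", finding)
```
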
Schedule Collections from Remote Computers


On the new Computer Collections page in the Endpoint Inspector web interface, examiners can 
create, monitor, and manage computer collection jobs. 


[Screenshot: Computer Collections page, listing collection jobs by name with a date and time,
a status (such as Pending or Exceptions), and a destination type (such as SFTP).]


The Status column shows Exceptions when a computer collection job fails. A job will fail if there 
is not enough available space on the remote computer to permit data collection or if the 
connection between the remote computer and the storage repository is lost. 


On the Create Job dialog box, you must provide a name for the computer collection job and then 
set filters for the data to be collected. You can also provide notes for the collection job. 


[Screenshot: Create Job dialog box, with Collection Options (Collection name, Notes, Date Range,
Collect From Location, File Extensions, Schedule) and Target Agents (Select by group or Select
by agent). The dialog box notes that a filter is required to start collection.]
Under Collection Options, these are the filters you can set.

Filter | Description

Date Range
You can choose any of these options or set a custom date range:
• Today
• Yesterday
• Last 7 days
• Last 30 days
• This Month
• Last Month
• Last Year

Folders
You can select all folders, select any of the pre-set folders, or specify custom folders.
These are the pre-set folders:
• All users - Folders
• All users - Desktop items
• All users - Documents
• All users - Pictures
• All users - Downloaded items
• Event Logs
• iOS backups
• iCloud data
• Unified Logs
• Shell data
To specify custom folders, you can type drive letters and file paths. Use an asterisk (*) as a
wildcard. Use a comma to separate multiple locations.

File Extensions
You can select all, select any of the pre-set categories, or specify custom file extensions.
Use a comma to separate multiple custom file extensions. These are the pre-set categories:
• Text Files
• Data Files
• Audio Files
• Video Files
• 3D Image Files
• Image Files
• Vector Image Files
• Page Layout Files
• Spreadsheet Files
• Database Files
• Executable Files
• Game Files
• CAD Files
• GIS Files
• Web Files
• Plugin Files
• Font Files
• System Files
• Settings Files
• Encoded Files
• Compressed Files
• Disk Image Files
• Developer Files
• Backup Files
• Misc Files

Schedule
You can set the collection job to run now, select a date and a time (any half hour between
00:00 and 23:30), or specify a custom date. These are the dates you can select:
• Today
• Tomorrow
• In 5 days
• In 1 week
• In 2 weeks

Volatile Collection
You can choose whether to collect volatile artifacts. For more information, see Collect
Volatile Artifacts from Remote Computers.


Note: You can only specify what to include in the collection; you cannot set exclusions. 


You must also select a destination where the data collection will be sent. 
Under Target Agents, you can choose one or several agents to collect from, or you can choose
one or several groups to collect from.


You may edit collection jobs that are in a Pending status. 


Collect Volatile Artifacts from Remote Computers 


To improve support for incident response, you can now choose to collect artifacts from running 
remote Windows computers. 


When an examiner creates a collection job on the Computer Collections page, they can specify 
that volatile artifacts should be collected. A single toggle targets these categories of artifacts for 
Windows computers. 


Category | Description

Processes and modules | The names and file handles of all running processes and modules.
Network data | List of adapters and related statistics and tables. Information about network shares.
Clipboard data | Lists all the content of the computer's clipboard.
Open files | Lists all open files on the computer by process.
Desktop | Provides a screen capture of the computer desktop.


Link to Web Page Announcing New or Changed Features 


If the Endpoint Inspector web interface was updated after you last logged in, a web page appears 
that provides information about new and changed features. 


If the Endpoint server does not have an internet connection, a QR code appears instead. You can
scan this QR code with your mobile phone or use it on a different computer to see this web page.


You can open this web page any time by clicking the menu button in the upper right corner of the 
Endpoint Inspector web interface and then clicking About V<version number>. 


New Settings 


Under Administration at the bottom of the Settings page, you can now choose whether users in
the Endpoint Inspector web interface are logged out after inactivity and set the number of
minutes of inactivity up to 120.


You can also specify whether the Web Theme is automatic, light, or dark. 


[Screenshot: Settings page, showing the Mobile Remote Agent version with the UPDATE AGENT
button, the Disable certificate validation option, the Storage Repository list, Client
Configuration, and the Administration options, including Log out after minutes of inactivity
and RESTART SERVER.]
Introduction


Cellebrite Endpoint Inspector allows an organization to create logical data collections from 
remote computers and mobile devices without shipping any hardware. Examiners do need to use 
Cellebrite Inspector. 


The Endpoint server is installed on a single Windows computer. Servers for Endpoint Inspector 
are not aware of each other. Administrators must use a web browser to log in to the server to 
manage it as well as to manage agents and users. 


The Endpoint agent enables data to be collected from remote Windows and Mac computers. 
Collection over a VPN is supported. The installation packages for the Endpoint agent can be 
distributed, installed, and configured on the remote computers with standard management tools. 
An installation wizard is present for users of remote computers who must manually install the 
Endpoint agent. 


With the participation of the person in custody of a mobile device, data can be collected and sent 
to a physically distant location for storage and examination. The only components that must be in 
physical proximity are the mobile device and the custodian’s computer, which must be 
connected with an appropriate USB cable during collection. 


Examiners access Endpoint Inspector through Cellebrite Inspector running on their own 
computers. Examiners are logged in and granted their license for each session through the 
Endpoint server. 


Within Cellebrite Inspector, examiners can connect to the Endpoint agents assigned to them. 
CPU resources may be consumed from both the examiner's computer and the remote computer, 
and in rare cases from the Endpoint server as well. Once connected, examiners can collect and 
analyze data from the corresponding remote computers when they are online and connected to 
the network. Examiners can use these views for selecting data to collect. 


• Browser
• File Filter
• Thumbnails


Examiners can also request a file from the endpoint computer to see file data in the Hex view, 
Strings view, and Preview tabs. 


Examiners save the selected files into a collection file with the Logical Evidence file format (L01). 
This format is widely supported by forensic and eDiscovery tools, and preserves file content, 
metadata, and folder structure. These L01 files are ingested into Cellebrite Inspector, where 
analysts can use robust analysis and reporting tools. 


Each license provides one server for Endpoint Inspector. One server can support up to 1000
agents installed on endpoints, up to ten concurrent connections to those endpoints, and up to
three examiners.


Remote Mobile Collection 


Each mobile license is term based and defines the quantity of mobile collection jobs your 
organization can consume. In this way, each license represents a pool of available mobile 
collection jobs. When a license term expires, you can no longer create mobile collection jobs. 
When a mobile collection job is created, it is consumed and removed from the pool. A collection
job cannot be created if all available jobs have been consumed from the pool.


When a mobile collection job saves data, it is permanently consumed and removed from the 
pool. This is true even if the collected data is not successfully transmitted to the location 
designated by the examiner, either automatically or manually. 


Each mobile collection job can be run only once; however, if a collection job does not complete
successfully, the custodian can restart it.


You can delete a mobile collection job before the custodian starts the collection. Deleted 
collection jobs are returned to the pool. 


If a mobile collection job fails with no data saved to the custodian’s computer, it can be deleted 
and returned to the pool. 


File Format for Remote Mobile Collection 


Collected data is saved in UFED zip format. This format can be ingested and examined with 
Inspector 10.4.1 and later or with Physical Analyzer 7.47 and later. These UFED zip files can be 
password protected. 


Data Types Supported for Remote Mobile Collection 


These types of data may be collected from iOS devices, ingested, parsed, and examined by 
Endpoint Inspector or Physical Analyzer. 


Applications native to the iOS platform can collect these types of data. 


• Advertising ID
• Audio
• Browser Data
• Calendar
• Call Logs
• Contacts
• IM
• Pictures
• SMS/MMS
• Videos


Depending on the specific version in use, some data can be collected from these third-party 
applications. 


• WhatsApp
• WeChat
• Facebook messenger


Deleted Data 


For supported applications, the full database may be recovered. Any deleted messages or 
threads that are found are presented. Deleted files such as images, documents, and full 
database files cannot be recovered. 
Definition of Terms

agent: Software that collects data from a remote computer.

case: Data collections ingested into Inspector are examined within the context of a case. A case
may contain multiple data collections.

computer collection job: These are created by the examiner in the Endpoint server web interface
to specify what data to collect from a remote computer, and to schedule the date and time when
collection should start. A collection job also specifies the destination of the collection and
the password required to access the collection during examination.

custodian: The person with custody and control of a mobile device. The custodian participates in
collecting data from the mobile device.

device agent: Software that assists in collecting data from an Android mobile device.

examiner: The person who uses the Endpoint server web interface to create, monitor, and manage
collection jobs. This person must be assigned the Analyst role. This person also examines the
collected data using either Inspector or Physical Analyzer.

mobile agent: Software that collects data from a mobile device.

mobile collection job: These are created by the examiner in the Endpoint server web interface to
specify what data to collect and—by specifying the custodian—which mobile device to collect it
from. A collection job also specifies the destination of the collection and the password
required to access the collection during examination.

remote collection: The process or result of collecting data from a remote computer and sending
it to a physically distant location for storage and examination.

remote mobile collection: The process or result of collecting data from a remote mobile device
and sending it to a physically distant location for storage and examination. This process
requires the participation of the person with custody of the mobile device. The only components
that must be in physical proximity are the mobile device and the custodian’s computer, which
must be connected with an appropriate USB cable during collection.




System Components and Requirements 


These are the system components and requirements required to run Endpoint Inspector, to
create and transmit collections from remote computers and mobile devices, and to ingest,
parse, and examine the collected data.

Component and Definition | System Requirements

Endpoint server
Manages licenses and authentication. Used by examiners to create and monitor collection jobs.
System requirements:
• Windows 10 1909 or newer
• Windows Server 2019 or newer
• 200 GB available disk space
• Minimum 16GB RAM
• Minimum 4 CPU

Endpoint agent
Installed on the custodian’s computer. Receives the data collection from the mobile agent and
sends it to the destination specified by the examiner.
System requirements:
• Windows 10 1909 or newer
• macOS 10.14, 10.15, and 11.6 (Intel)

Endpoint mobile agent
Automatically downloaded and installed on a custodian’s computer for each collection. Collects
data from the connected mobile device and sends it to the destination specified in the
collection job.
Note: Data can be collected only from iOS devices.
System requirements:
• Windows 10 1909 or newer

Device agent
Required only for collection from Android devices. Automatically downloaded and installed on
the Android device for each collection. Automatically removed from the device when collection
is complete.
System requirements:
• Android platform

Endpoint Inspector 10.4.1 and later
Used by examiners to ingest, parse, and analyze collected data within the context of a case.
System requirements:
• Windows 10 1909 or newer
• Inspector is supported on Mac OS X 10.12.6 or newer, therefore Endpoint Inspector may work
as well. For more information, see the "Hardware and Software Requirements" topic in the
Cellebrite Inspector User Guide.

Physical Analyzer 7.47 and later
Used by examiners to ingest, parse, and examine collected data.
System requirements:
• For information about Physical Analyzer, see the Cellebrite Physical Analyzer User Manual.
Default Server Ports

Port | Port Numbers

Web Configuration Port | 443
Authentication Port | 20001
Agent Communication Port | 20002
Agent Direct Connect Port | 20003


Getting Support 


You can log in to MyCellebrite portal at https://community.cellebrite.com, which provides access 
to resources and support. 


• Keep your products updated.
• Contact Support or review the knowledgebase.
• Download user manuals and data sheets.
• Manage your product licenses.
• Get expert assistance.


You can also send an email to technical support at support@cellebrite.com.


These technical publications are available for download. 


• Cellebrite Endpoint Inspector 1.3 Release Notes
• Cellebrite Endpoint Inspector 1.3 Communications and Security Guide
• Cellebrite Inspector User Guide for Endpoint Inspector 1.3
• Cellebrite Inspector 10.5 Quick Start Guide
• Cellebrite Inspector 10.5 Portable Case Guide


Known Issue 
This is a known issue related to remote mobile collection. 


When a computer has UFED installed on it and then the Endpoint Inspector mobile agent is 
installed and later uninstalled, drivers are also removed from that computer. The result is that 
UFED no longer works. To resolve this, you can uninstall and reinstall UFED. 




Installation and Deployment 


The server for Endpoint Inspector must be installed on a Windows computer. This computer can be 
physical or virtual. For more information, see System Components and Requirements. 


After installation, you can activate the license and create the first administrator account. Then 
you can use the first administrator account to complete the remaining installation and 
deployment tasks. This may include creating additional administrator accounts. 


Refer to the Installation and Deployment Checklists to ensure the tasks are completed in the 
required order. These checklists provide links to topics to support you in completing these tasks. 


For various reasons, the required tasks may differ between a test deployment and a production 
deployment. 


Before you begin: You should understand the Security Certificate set of topics. 


Installation and Deployment Checklists 


You should use these checklists to ensure installation and deployment tasks are performed in
the correct order to properly install components for Endpoint Inspector and to verify that data
can be collected. Some tasks may be optional depending on whether you are deploying for test
purposes or for production.

Before you begin: You should review the checklists to be sure you understand the differences 
between test and production deployments. 


Endpoint Server and Agent 


Task | Supporting Topics

Install the Endpoint server. | Install and Configure the Endpoint Server
In the Endpoint Inspector web interface, define ports and the server address. | Update Ports and Server Address; Restart the Endpoint Server
If it is necessary for testing, in the Endpoint Inspector web interface, disable security certificate validation. | Disable Certificate Validation During Testing
If it is necessary for production, replace the security certificate. | Replace the Security Certificate
In the Endpoint Inspector web interface, define settings for the agent and then save the agent configuration file. | Create and Export an Agent Configuration File
For testing, manually install the agents and the config.json file on the few computers that will be used to test remote computer collections. Get the agents and the config.json file from the Settings page in the Endpoint Inspector web interface.
For production, install the agents and the config.json file on your organization’s remote Mac and Windows computers. | Deploying the Endpoint Agent to Mac Computers with JAMF; Deploying the Endpoint Agent to Windows Computers with Unattended Installation
Manage Users
In the Endpoint Inspector web interface, create groups for agents and assign users to groups. | Manage Agents and Groups
In the Endpoint Inspector web interface, verify that the agents installed on the remote computers are listed, and then assign the agents to the appropriate group. | Manage Agents and Groups
On an examiner's computer with Inspector installed, verify that Inspector can connect to the Endpoint server, list agents assigned to the examiner, and start browsing the file system for a selected agent. | See the Cellebrite Endpoint Inspector User Guide.


Remote Mobile Collection 


Task | Related Topics

In the Endpoint Inspector web interface, add the mobile license. | Add a Mobile Collection License
In the Endpoint Inspector web interface, update the mobile agent. | Update the Mobile Agent
In the Endpoint Inspector web interface, set the default destination for collections. | Set the Default Destination for Mobile Data Collections
In the Endpoint Inspector web interface, create a collection job. Send the activation token and the link to download the mobile agent to the intended custodian. | Create a Mobile Collection Job
On the custodian’s computer, download and install the mobile agent, restart the computer, run the mobile agent, and then enter the activation token to begin collecting data. | Create and Send a Mobile Collection
In the Endpoint Inspector web interface, verify that the mobile agent's activity is visible. Also verify that the mobile collection file is saved to the appropriate location. | Monitor, Find, and Select Mobile Collection Jobs
On an examiner's computer with Inspector installed, verify that Inspector can ingest the mobile collection file. | See the Cellebrite Endpoint Inspector User Guide.
Install and Configure the Endpoint Server


1. On the appropriate computer, run the installer for the Endpoint server, then follow the 
prompts in the Setup wizard. 
2. In a web browser, go to https://localhost.


3. On the security warning page for your web browser, proceed to the Endpoint server. 
The Endpoint Server Setup page appears. 


[Screenshot: Endpoint Server Setup page, which states that this instance of Endpoint Server is
not licensed and prompts for a valid license key.]


4. Paste the license key into the text box, and then click ACTIVATE. 

The Server Address field shows the IP address of the Endpoint server. 
5. Click CONTINUE. 
6. Select the appropriate connection method for the Postgres Database. 


• Use Internal Database, and then click CONTINUE.
• Use External Database, and then provide values for these fields.
  a. Address
  b. Port
  c. Database
  d. Username
  e. Password
  f. SSL Mode

7. Under Administrator Account, type the username and password to create the primary
administrator account for this server, and then click CONTINUE.
The login page for Endpoint Inspector appears with credentials prefilled for the primary
administrator account you just created.

8. Click LOGIN.


The server for Endpoint Inspector is installed, licensed, and you are logged in to the server as 
the first administrator. Now you can set up Endpoint Inspector and deploy agents. For more 
information, see these topics: 


• Security Certificate
• Managing Settings

Security Certificate


When you deploy Endpoint Inspector for testing purposes, you may not need to test validation for 
the mobile agent network authentication security certificate. For this reason, you can choose to 
bypass security certificate validation for mobile agent network authentication. For more 
information, see Disable Certificate Validation. 


Production Considerations 


When you deploy Endpoint Inspector for production purposes, decide which of these options best 
suits your organization. 


If your organization issues its own certificates (either private PKI or through a private certificate authority), you should install your own certificate for mobile agent network authentication on the Endpoint server. For more information, see Replace the Security Certificate. You should also ensure that certificate validation is not disabled. For more information, see Disable Certificate Validation.

If your organization does not issue its own certificates, you should partner with a commercial trusted certificate authority (such as Digicert, Entrust Datacard, Globalsign, GoDaddy, Sectigo, and so forth) and be provisioned accordingly. For more information, see Replace the Security Certificate. You should also ensure that certificate validation is not disabled. For more information, see Disable Certificate Validation.

If your organization does not mandate the full security stack of benefits derived from using a private PKI or commercial certificate authority, you may continue to use the default self-signed certificate.

Disable Certificate Validation During Testing


You may choose to disable validation for the mobile agent network authentication security certificate. This may be appropriate when you are testing Endpoint Inspector remote mobile collection but do not need to test certificate validation. For more information, see Security Certificate.


1. Log in to the web interface for your Endpoint server with administrative credentials. 


2. Click Settings. 
3. Scroll down to the Mobile Agent Settings section. 




4. Mark the checkbox labeled Disable certificate validation. 


After your testing is complete, if your organization will continue to use this Endpoint server for production, you should install a certificate provided by a commercial trusted certificate authority or your own private PKI certificate and ensure that this checkbox is cleared to enable mobile agent certificate validation. For more information, see Production Considerations and Replace the Security Certificate.

Replace the Security Certificate


You must place these files for the new mobile agent network security certificate in a specific 
folder on the Endpoint server. 


• cert
• key


It's a good idea to back up the existing certificate files in case you need them later. 


1. On the computer that is the Endpoint server, open a File Explorer window and navigate to this 
folder. 
%PROGRAMFILES%\Cellebrite\Endpoint\Server\serverdata\certificates 




2. For backup purposes, rename the existing cert and key files and move them to an 
appropriate backup location. 


3. Copy the cert and key files for the new certificate into the folder described in Step 1. 

4. Restart the server. 

5. Log into the Endpoint Inspector web interface and on the Settings page, unmark the 
checkbox labeled Disable certificate validation. 

Deploying Endpoint Agents

This section addresses whole-enterprise deployment for production purposes. This is not necessary for testing purposes within your environment.


Endpoint agents must be installed on the remote Windows or Mac computers before data can be 
collected from them with Endpoint Inspector. 


There are separate installation packages for the Endpoint agents on the Windows and Mac 
platforms. 


The installation packages for the Endpoint agent can be distributed, installed, and configured on 
remote computers with standard management tools. You must create and distribute the agent 
configuration file along with the installation file. There is an installation wizard for users of 
remote computers who must manually install the Endpoint agent. 


An Endpoint is defined when its agent first connects successfully to the Endpoint server. 


Deploying the Endpoint Agent to Mac Computers with JAMF 
This task assumes familiarity with JAMF. For more information, see https://www.jamf.com/. 


First, you must configure the Privacy Preferences Policy Control for full disk access. Then you can 
create a policy to deploy and install the Endpoint agent. 


Configure Privacy Preferences Policy Control 


You can use JAMF to create a new configuration profile to grant full disk access to the Endpoint agent.

1. In JAMF, create a new configuration profile and add these entries to the Privacy Preferences Policy Control setting.

Field | Value
Identifier | /Library/Application Support/Cellebrite/Endpoint/Agent/bin/Cellebrite_Endpoint_Agent
Identifier Type | Path
Code Requirement | identifier "Cellebrite_Endpoint_Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8A6E4V5B9Q"

2. Enable the appropriate disk and folder access levels for the Endpoint agent. 


App or Service | Access
SystemPolicyDocumentsFolder | Allow
SystemPolicyDesktopFolder | Allow
SystemPolicyAllFiles | Allow
SystemPolicyDownloadsFolder | Allow
SystemPolicySysAdminFiles | Allow

Create a Policy to Deploy and Install the Endpoint Agent


You can use JAMF to create a policy to deploy and install the Endpoint agent. The configuration 
profile must be deployed before the installer package. 


config.json (example contents):
{"AuthServicePort":<Port#>, "RemoteServerHostname":"192.0.2.22", "SharedSecret":"<server shared secret>"}


1. In JAMF, under Computer Management settings, upload the Endpoint Agent Config installer 
package to your distribution repository. 

2. Create a JAMF script to create the necessary folder, to create the config.json file within that 
folder, and to populate that file as required. 
Example: 


# Create the agent data folder and any missing parent folders.
sudo mkdir -p /Library/Application\ Support/Cellebrite/Endpoint/Agent/bin/agentdata
# Write config.json. tee runs under sudo, so the file itself is written with root privileges.
sudo tee /Library/Application\ Support/Cellebrite/Endpoint/Agent/bin/agentdata/config.json > /dev/null << EOF
{"RemoteServerHostname":"<server IP address or hostname>", "AuthServicePort": <Authentication Port>,
"SharedSecret":"<server shared secret>"}
EOF

3. Create a policy to deploy the installer package and the config.json file to the appropriate Mac
computers, with the script configured to run before the package install.
a. On the General page, provide a Display Name such as Endpoint Agent deployment.
b. Mark the Enabled checkbox.




4. On the Packages page, make these entries. 
a. Set the Distribution Point to Each computer's default distribution point. 
b. Add the installer package for the Endpoint agent. 
c. Set the Action field to Install. 

5. On the Scripts page, set the Priority for the Endpoint agent script to Before. 


Now you can deploy the configuration profile and installer package to each target Mac computer. 
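
The script from step 2, as an added example that is not Cellebrite's own code: because config.json carries the SharedSecret, this version validates the three values, writes the file atomically, and leaves it readable only by its owner. The function names, the use of Jamf script parameters 4 to 6, and the owner-only file mode are assumptions; confirm that the agent can still read the file in your environment.

```shell
#!/bin/bash
# Added example: write the Endpoint agent config.json with validated values
# and owner-only permissions. Assumes the policy passes the server address,
# authentication port and shared secret as Jamf script parameters 4, 5 and 6.

AGENT_DATA_DIR="/Library/Application Support/Cellebrite/Endpoint/Agent/bin/agentdata"

# Escape backslashes and double quotes so a value cannot break out of its JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_agent_config <dir> <server> <port> <secret>
# Returns 0 on success, 2 on invalid input, 1 on a filesystem error.
write_agent_config() {
    local dir="$1" server="$2" port="$3" secret="$4" tmp

    # Server: letters, digits, dot, dash and colon (IPv6) only.
    case "$server" in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid server address" >&2; return 2 ;;
    esac
    # Port: digits only, no leading zero (it would not be a valid JSON number).
    case "$port" in
        ''|0*|*[!0-9]*) echo "invalid port" >&2; return 2 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 2
    fi
    # Secret: reject empty values, a placeholder left in by mistake, and control characters.
    case "$secret" in
        ''|'<'*'>'|*[[:cntrl:]]*) echo "missing or malformed shared secret" >&2; return 2 ;;
    esac

    # mkdir -p creates missing parents and does not fail when the folder exists.
    mkdir -p "$dir" || return 1
    # mktemp creates the file with mode 0600, so the secret is never world-readable,
    # and the final rename means the agent never sees a half-written file.
    tmp="$(mktemp "$dir/config.json.XXXXXX")" || return 1
    if printf '{"RemoteServerHostname":"%s", "AuthServicePort":%s, "SharedSecret":"%s"}\n' \
            "$(json_escape "$server")" "$port" "$(json_escape "$secret")" > "$tmp" \
        && chmod 600 "$tmp" \
        && mv -f "$tmp" "$dir/config.json"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Jamf reserves parameters 1-3; custom values start at parameter 4.
# Passing the values as parameters keeps the secret out of the script body.
if [ "$#" -ge 6 ]; then
    write_agent_config "$AGENT_DATA_DIR" "$4" "$5" "$6" || exit $?
fi
```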


Deploying the Endpoint Agent to Windows Computers with Unattended Installation


These examples use PowerShell and the command line to deploy the Endpoint agent to Windows 
computers with unattended installation. All required fields are available in the config.json file 
saved from the Endpoint server. 


The MSI installer accepts standard arguments and then expects Wrapped Arguments for the wrapped installer.

The Endpoint Agent Service does not start automatically from an unattended installation.

This syntax is required:


WRAPPED_ARGUMENTS="/VERYSILENT /ip=server_address /port=20001 /secret=supersecretfromconfigjson" 


Command Prompt Code Example 


msiexec /i "location_to_msi" /qn /norestart WRAPPED_ARGUMENTS="/VERYSILENT /ip=server_address /port=20001 /secret=supersecretfromconfigjson"


net start "Endpoint Agent" 


PowerShell Code Example #1 


This example is for a silent install with Wrapped Arguments hard coded, followed by starting the 
Endpoint Agent Service. 


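# Path to the Endpoint agent MSI and the name of the installed service.
$localfile = "location_to_msi"
$servicename = "Endpoint Agent"
# Standard msiexec switches followed by the arguments for the wrapped installer.
$MSIArguments = @(
    "/i"
    ('"{0}"' -f $localfile)
    "/qn"
    "/norestart"
    'WRAPPED_ARGUMENTS="/VERYSILENT /ip=server_address /port=20001 /secret=supersecretfromconfigjson"'
)
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow

# The service does not start automatically after an unattended installation.
Start-Service $servicename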

PowerShell Code Example #2


This example is for a silent install with Wrapped Arguments parsed from config.json, followed by 
starting the Endpoint Agent Service. 


$localfile = "location_to_msi"
$servicename = "Endpoint Agent"

# Read and parse the config.json file saved from the Endpoint server.
$configparsejson = Get-Content -Raw "location_to_config.json" | ConvertFrom-Json

$ip = $configparsejson.RemoteServerHostname
$port = $configparsejson.AuthServicePort
$secret = $configparsejson.SharedSecret

# Build the wrapped installer arguments from the parsed values.
$wrapped = ('WRAPPED_ARGUMENTS="/VERYSILENT /ip={0} /port={1} /secret={2}"' -f $ip, $port, $secret)

$MSIArguments = @(
    "/i"
    ('"{0}"' -f $localfile)
    "/qn"
    "/norestart"
    "$wrapped"
)
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow

# The service does not start automatically after an unattended installation.
Start-Service $servicename

Administrator Tasks

These topics describe tasks that administrators complete to deploy Endpoint Inspector and also in the course of normal operations.

• Managing Licenses
• Managing Settings
• Manage Users
• Manage Agents and Groups
• See Event Log
• Review the Home Page


Managing Licenses 


Administrators can complete these tasks on the Licenses page in the Endpoint server web 
interface. 


• Update the Endpoint Server License
• Add a Mobile Collection License


Update the Endpoint Server License 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Licenses. 
The Licenses page appears. 


3. Under Server License, click UPDATE SERVER LICENSE.
The Update License page appears. 




4. Paste the license into the text box and then click UPDATE.
5. Restart the Endpoint server. 


For more information, see Restart the Endpoint Server. 


Add a Mobile Collection License 


On the License page in the Endpoint server, you can add a mobile collection license. You can also 
see information about an existing license for mobile collections. 


1. Log in to the web interface for your Endpoint server with administrative credentials.
2. Click License.
The License page appears.
3. Choose any of these actions under Mobile License.

Add a mobile collection license. | Click Add Mobile License and then paste the license key into the Add Mobile License dialog box.
Review license information | Review this information:
   • the quantity of collection jobs remaining in the pool.
   • the date when the license expires.

Managing Settings

Administrators can complete these tasks on the Settings page in the Endpoint server web interface.

• Update Ports and Server Address
• Restart the Endpoint Server
• Create and Export an Agent Configuration File
• Update the Mobile Agent
• Set the Default Destination for Mobile Data Collections


Update Ports and Server Address 


Before you begin, you should understand the information in the Default Server Ports topic. 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Settings. 
The Settings page appears. 




3. Under Server Ports, update values in any of these fields as necessary. 


• Web Configuration Port
• Agent Communication Port
• Authentication Port
• Server Address


4. Click UPDATE. 
5. Restart the Endpoint server. 
For more information, see Restart the Endpoint Server. 

Restart the Endpoint Server

You must restart the Endpoint server after you complete either of these tasks.

• Update the Endpoint Server License
• Update Ports and Server Address


There may be other occasions when it is necessary to restart the Endpoint server. 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Settings. 
The Settings page appears. 




3. Scroll down to Admin and then click RESTART SERVER. 


Create and Export an Agent Configuration File 


This file (or the information in it) is required to configure Endpoint agents for remote computer 
collection. 


Before you complete this task, verify that information on the Settings page under Server Ports is 
accurate. For more information, see Update Ports and Server Address. 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Settings. 


The Settings page appears. 




3. Scroll down to Client Configuration and then click CREATE AGENT CONFIG. 
4. Save the resulting config.json file for distribution along with the installation files for the 
Endpoint agents. 

Update the Mobile Agent


On the Settings page in the Endpoint server, you can see which version of the Endpoint mobile 
agent is in use and update to a new version of the mobile agent. You can get the most recent 
version from your account in the MyCellebrite portal. 


This ensures that the newest version of the mobile agent is always used. 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Settings. 
The Settings page appears. 




3. Under Mobile Remote Agent, review the Version and Last updated information to see which 
version is in use. 

4. To get the most recent version of the Endpoint mobile agent, click UPDATE AGENT. 
The most recent version of the Endpoint mobile agent is downloaded to the computer in the 
destination you specify. 

5. On the computer used as the Endpoint server, use File Explorer to browse to the downloaded 
Endpoint mobile agent and then open it. 
The mobile agent is uploaded to the Endpoint server. 

Set the Default Destination for Mobile Data Collections

You can specify the default destination where mobile data collections will be saved. This should be a network location that is available to all custodians’ computers. UNC and SFTP shares are supported.


For any individual collection job where the default destination is not appropriate, an examiner 
can specify an alternative destination. 


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Settings. 


The Settings page appears. 




3. Under Mobile Agent Settings, choose the appropriate option and provide the required information.

Local Shared Folder | In Collection Output Path, type the file path for the network location for storing mobile data collections.
SFTP | Type the appropriate values in these fields.
   • Server Address
   • Server Port
   • Path
   • Username
   • Password


4. Click UPDATE. 

Manage Users

Administrators can complete these tasks on the Users page in the Endpoint server web interface.

• Create users.
• Sort and filter the list of users.
• Delete users. You cannot delete yourself as a user.
• Update a user's password.
• Update a user's assigned roles. A user may have both or either the Administrator or Analyst roles assigned.
   ◦ Users with only the Administrator role cannot have agents assigned.
   ◦ Users with only the Analyst role cannot complete administrative tasks.
• For a user with the analyst role, assign or remove agents and groups of agents.

1. Log in to the web interface for your Endpoint server with administrative credentials.
2. Click Users. 
The Users page appears. 




3. Choose any of these actions. 


Create a user

1. Click CREATE.
2. Type the username and password.
   Usernames are not required to be email addresses.
   These characters are valid.
   • upper and lower-case letters
   • numerals 0-9
   • @, dash, underbar, low dot
3. Assign either or both the Administrator and Analyst role.
4. Click CREATE.

Sort the list

Click a column label to toggle between ascending and descending order.

Filter the list


Type anything in the Search box. 
The list of users is filtered on all columns based on what you 
typed. 


Filter by column 


Click the column filter icon at the top of any column that has it,
and then select the appropriate value. The list shows only
those users that match.


Change a user's password 
or role 


Find the appropriate user and then in the Actions column 
click ... (ellipsis) > Edit Profile. 


e Change the password and then click UPDATE PASSWORD. 
e Change the assigned roles and then click UPDATE ROLES. 


Copy text from a field 


Right-click on the field you want to copy and then click Copy 
Text. 


The text from that field is copied to your clipboard. 


Assign agents to a user 


1. Find the appropriate user and then in the Actions column 
click ... (ellipsis) > Assign Agents. 
The Assign Agents page appears. 




2. Expand or collapse groups of agents, mark or unmark 
the checkboxes for the appropriate agent groups or 
individual agents, and then click APPLY. 


Delete a user 


Find the appropriate user and then in the Actions column 
click ... (ellipsis) > Delete. 


You cannot delete yourself as a user. 

Manage Agents and Groups

An Endpoint agent is created when it first connects successfully to the Endpoint server. Administrators can perform these tasks on the Agents page to manage agents and groups of agents.

• See the status of agents bound to this server for Endpoint Inspector.
• Search for agents and filter the list of agents. This filter is not case sensitive.
• Make a note for any agent. We recommend entering information to identify the person using this remote computer. This makes it easier for an examiner using Endpoint Inspector to choose Endpoint agents to connect to and collect files from.
• Create groups to more easily manage large numbers of agents and make it easier to assign agents to examiners. You can create groups in any way that makes sense for your organization. For example, you could group agents based on geography, such as Eastern, Central, and Western. Or you might group agents based on the platforms of the associated computers, or the departments those computers are in, such as Finance, Marketing, Executive, and so on.


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Agents. 
The Agents page appears. 




There are two default groups, All and Unassigned. All agents are always members of the All 
group. 
3. Choose any of these actions. 


Sort the list of agents | Click a column label to toggle between ascending and descending order.
Filter the list | Type anything in the Filter Groups or Filter Agents box.
Copy from a field in the list | Right-click on the field you want to copy and then click Copy Text. The text from that field is copied to your clipboard.
Make a note for an agent | Find the appropriate agent and type in the Notes column.
Delete an agent | Mark the checkbox for the appropriate agent and then click DELETE.
Create a group of agents | 1. Click CREATE GROUP. 2. Type the name of the group and any notes about the group. 3. Assign appropriate agents to the group. 4. Click CREATE.
Move agents to a group | Select the appropriate agents and then click MOVE TO GROUP.
Filter the list of groups | Type anything in the Search box under CREATE GROUP. The list of groups is filtered based on what you typed.
See, edit, or delete a group | Select the group, click the vertical ellipsis, and then click EDIT. If you delete a group that has agents assigned, those agents become members of the Unassigned group.

See the Event Log

On the Events page, administrators can export the event log to a .csv file. You may also clear events from the log.

These are some of the types of events you may see in the log.

• Examiners’ attempts to log in to Endpoint Inspector (both successful and failed)
• Examiner access to Endpoint agents
• Mobile collection job events


1. Log in to the web interface for your Endpoint server with administrative credentials. 
2. Click Events. 
The Events page appears. 


3. Choose any of these actions.


Sort the list of events | Click a column label to toggle between ascending and descending order.
Filter the list of events | Type anything in the Search box. The list of events is filtered on all columns (except for Event Time and Job ID) based on what you type.
Copy from a field in the list | Right-click on the field you want to copy and then click Copy Text. The text from that field is copied to your clipboard.
Export the list of events | Click EXPORT. The list of events is saved according to the default settings for your web browser with the filename in this format: endpoint_inspector_events_YYYY-MM-DDT_HH_MM_SS-timezone.csv.
Clear the list of events | Click CLEAR. All events are removed from the log.

Review the Home Page


The Home page of the web interface for the Endpoint server shows a dashboard of status and 
activity information for agents and users associated with this server. 


When you log in to the server or when you click Home, the Home page appears. 


The Home page is refreshed every 30 seconds. 


Total Agents shows the number of agents this server is managing. It also shows statistics about agent activity.

Total Users shows the total number of users this server is managing. It also shows statistics about users.


Total Events shows the total number of events logged since the list of events was last cleared. It 
also shows a list of the last ten events. You can sort this list by any column in ascending or 
descending order. 

Examiners can complete these tasks in the web interface for the Endpoint server.

• Create a Mobile Collection Job
• Send the Link and Activation Token to a Custodian
• Monitor, Find, and Select Mobile Collection Jobs
• Delete a Mobile Collection Job
• Get the Password for a Mobile Data Collection
• Troubleshooting


Create a Mobile Collection Job 


A mobile collection job specifies what data to collect from a mobile agent and who the custodian 
of the mobile device is. 


1. Use a web browser to log in to the web interface for your Endpoint server. 
2. Click Mobile Collection. 
The Mobile Collection page appears. 


3. Click CREATE.
The Create new job page appears. 




4. Type the appropriate information in these fields.

Custodian name | The full name of the custodian of the mobile device.
Custodian email | The email address of the custodian.
Examiner name | The name of the person who will examine the collected mobile data.
Send collected data to | If the default network location is not appropriate for this collection, type a different destination. This field is optional.
Collection output password | The password that will be required to open the mobile collection. This field is optional.
Notes | Any notes appropriate for this mobile collection job.

5. Under Data to collect, choose the appropriate option.
• All Content collects data from all native and third-party applications supported by Endpoint Inspector. You may choose to exclude pictures, videos, or audio from the collection.
• Selective data types only collects data from native applications supported by Endpoint Inspector. It does not include third-party applications.
  Click SELECT, choose at least one data type to collect, and then click CLOSE. These are the data types you may select.
   ◦ Select All
   ◦ Advertising Identifier
   ◦ Audio
   ◦ Browser Data
   ◦ Calendar
   ◦ Call Logs
   ◦ Contacts
   ◦ Instant Messaging
   ◦ Pictures
   ◦ SMS/MMS
   ◦ Videos

6. Click CREATE. 

7. On the Mobile collection job created page, you can copy the activation token and the 
download link and paste them into the message the examiner will send to the custodian of 
the iOS device.


Send the Link and Activation Token to a Custodian 


For each collection job, the examiner must provide the link and the activation token to the 
custodian, who uses these to start collection from the device in their custody. If you did not 
obtain the activation token and download link when the collection job was created, you can get 
them later. 


1. Begin composing your message to the custodian. 
2. Use a web browser to log in to the web interface for your Endpoint server.
3. Click Mobile Collection. 

The Mobile collection page appears. 
4. Above the list of agents, copy the link from where the mobile remote agent can be
downloaded and paste it into your message to the custodian. 

5. Find the appropriate collection job in the list, and then in the Actions column click ... (ellipsis) 
> Get Token. 
The activation token is copied to your clipboard. 

6. Paste the activation token into your message to the custodian. 

7. Send the message to the custodian. 

Monitor, Find, and Select Mobile Collection Jobs

Examiners can monitor the status of mobile collection jobs on the Mobile Collection page, which shows a list of all mobile collection jobs. You can see the status and details of each job as well as any status message. The status refreshes every 60 seconds.

1. Use a web browser to log in to the web interface for your Endpoint server.
2. Click Mobile Collection.
The Mobile Collection page appears.
3. Choose the appropriate action.

Action | Steps
Sort by any column | Click a column label to toggle between ascending and descending order.
Show mobile collection jobs with a specific status | Click the column filter icon at the top of the Status column and then select the appropriate status.
Filter the list | Type the appropriate information in the Search box. The list shows only mobile collection jobs that contain what you typed.
Copy from a field in the list | Right-click on the field you want to copy and then click Copy Text. The text from that field is copied to your clipboard.
Select a mobile collection job | Mark the checkbox to the left of the Job ID number.
Select all mobile collection jobs | Mark the checkbox to the left of the Job ID column title.

Delete a Mobile Collection Job


Examiners can delete a mobile collection job on the Mobile Collection page. 


Deleting a collection job with a status of either Created or Extraction Failed returns it to the pool 
of available jobs. While you may delete mobile collection jobs with a different status, those jobs 
are consumed. Therefore, deleting them does not return them to the pool of available jobs. 


Deleting a mobile collection job does not delete its stored data collection. Data collections 
related to deleted mobile collection jobs remain where they are stored until you manually move 
or delete them. 
1. Use a web browser to log in to the web interface for your Endpoint server. 
2. Click Mobile Collection. 

The Mobile Collection page appears. 


3. Select the appropriate mobile collection job and then click DELETE.

Get the Password for a Mobile Data Collection


Examiners can create a password for each collection job they create. If a password is created, it 
is required to open the collected data for examination. If you cannot recall the password for a 
collection job, you can see it on the Mobile Collection page.


1. Use a web browser to log in to the web interface for your Endpoint server.
2. Click Mobile Collection.
The Mobile Collection page appears.
3. Find the appropriate collection job and then in the Actions column click ... (ellipsis) > Get
Password.
The password is copied to your clipboard.


Troubleshooting 


You may find this information helpful if you need to troubleshoot issues with mobile remote 
collections in Endpoint Inspector.


• Closing Web Browser During Collection
• Log Files
  o Encrypted Session Log File
  o Other Log Files


Closing Web Browser During Collection 


If the web browser on the custodian’s computer is closed for more than 60 seconds during any 
part of the collection process, the mobile agent closes itself. The custodian must start the 
collection job again. 


Log Files 


Log files for mobile remote collection jobs are useful when you troubleshoot issues encountered 
by the custodian, such as the Endpoint mobile agent failing to run, to extract data, or to transmit 
the collected data. You can ask a custodian to send you any log files saved by the mobile agent 
on their computer.


Encrypted Session Log File


You should send the encrypted session log file to Cellebrite for investigation. The mobile agent 
automatically saves encrypted logs for each session in this folder: 


%temp%\.Endpoint.Inspector.Extraction.Logs\<APP_START_TIME>


where %temp% is a Windows shortcut to a temporary folder for the current user and
<APP_START_TIME> is a folder with a name based on the time the mobile agent started in
YYYY-MM-DD_HH-MM-SS format, for example:


C:\Users\<USER_NAME>\AppData\Local\Temp\.Endpoint.Inspector.Extraction.Logs\2021-08-12_14-01-36
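
The following PowerShell is an added example, not part of the Cellebrite documentation or tooling: it finds the session log folder with the most recent start time under the path given above, records a SHA-256 hash of each file so the recipient can confirm the encrypted logs arrived unchanged, and zips the folder. The output folder on the Desktop and the output file names are assumptions.

```powershell
# Added example: package the newest encrypted session log folder with a SHA-256 manifest.
# Folder location and name format come from this guide; output names are assumptions.
$ErrorActionPreference = 'Stop'

$logRoot = Join-Path $env:TEMP '.Endpoint.Inspector.Extraction.Logs'
if (-not (Test-Path -LiteralPath $logRoot -PathType Container)) {
    throw "No session log folder at $logRoot. Run this under the account that ran the mobile agent."
}

# Session folders are named after the agent start time: YYYY-MM-DD_HH-MM-SS
$format   = 'yyyy-MM-dd_HH-mm-ss'
$culture  = [System.Globalization.CultureInfo]::InvariantCulture
$sessions = foreach ($dir in Get-ChildItem -LiteralPath $logRoot -Directory -Force) {
    $started = [datetime]::MinValue
    # Skip any folder whose name does not parse as a start time
    if ([datetime]::TryParseExact($dir.Name, $format, $culture,
            [System.Globalization.DateTimeStyles]::None, [ref]$started)) {
        [pscustomobject]@{ Started = $started; Folder = $dir }
    }
}
if (-not $sessions) { throw "No folders named $format under $logRoot." }

# Sort on the parsed time, not the raw string, and keep the newest session
$latest = $sessions | Sort-Object Started | Select-Object -Last 1
$source = $latest.Folder.FullName

# Assumed output location: a folder on the current user's Desktop
$outDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'EndpointInspectorLogs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Hash every file so the recipient can verify the logs after transfer
$manifest = Join-Path $outDir "$($latest.Folder.Name)_sha256.csv"
Get-ChildItem -LiteralPath $source -File -Recurse -Force |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'RelativePath'; e = { $_.Path.Substring($source.Length + 1) } } |
    Export-Csv -LiteralPath $manifest -NoTypeInformation

$zip = Join-Path $outDir "$($latest.Folder.Name)_logs.zip"
Compress-Archive -Path (Join-Path $source '*') -DestinationPath $zip -Force

Write-Output "Session started $($latest.Started): send $zip together with $manifest"
```

The recipient can rerun Get-FileHash on the extracted files and compare the values against the manifest before investigating.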


Other Log Files 


You can open these log files in any text editor, such as Notepad or TextEdit. 


If there are problems installing the mobile agent on the custodian’s computer, you can set
the installer for the mobile agent to save a log file by running the installer from the
command line with this log parameter.


CellebriteMobileAgent_v<version number>.exe /log="LOG_FILE_PATH" 


where <version number> is the version number in the name of the installation file for the
mobile agent and "LOG_FILE_PATH" is the destination and file name for the log file, for
example:


CellebriteMobileAgent_v1.2.0.191.exe /log="C:\<FOLDER_NAME>\LOG.TXT"

which is the full path and file name, or

CellebriteMobileAgent_v1.2.0.191.exe /log="LOG.TXT"

which creates the log file in the folder where the user is when they run this command.


If the mobile agent user interface in the web browser shows something strange or does not
respond to interaction, you can save logs from the web browser.


1. Press F12 and then click Console. 
2. In the workspace, right-click to open the context menu and then click Save As. 
3. Save the log file with an appropriate name in an appropriate location.


Custodian Task


Custodians perform this mobile remote collection task. 


• Create and Send a Mobile Collection


Create and Send a Mobile Collection 


The custodian of the mobile device receives a message from the examiner. This message 
provides the link from which the Endpoint mobile agent is downloaded and installed onto the 
custodian’s computer. The message also provides the activation token required to start 
collecting data. 


Mobile remote collection is supported only for iOS devices. 


Note: You must restart your computer after you install the Endpoint mobile agent. You must also 
have an appropriate USB cable to connect your mobile device to your computer when you are 
directed to do so. 


1. On your computer, open the message and then click the link to download the installer for 
Cellebrite.Mobile.Agent. 

2. Run the Cellebrite.Mobile.Agent installer and restart your computer. 

3. Run the Cellebrite Endpoint Inspector mobile agent. 
The Welcome to Endpoint Inspector page appears in your web browser. 




4. Paste the activation code from the message and then click ACTIVATE. 

5. Follow the instructions provided in your web browser to connect your mobile device to your 
computer with an appropriate USB cable and disable automatic locking on your device. 
You may be required to provide a password for the device. 

If backup encryption is enabled, provide that password when you are directed to do so. 

6. Follow the remaining instructions to collect the data and review the estimated time for the 
data collection to complete. 

The data collection is saved to your computer in the form of a single file. 

7. When prompted on the Summary page, disconnect your mobile device from your computer
and then click NEXT.

The data collection file is copied from your computer to the location specified by the
examiner and then it is deleted from your computer. If your network connection is disrupted,
transmission resumes automatically when the connection is reestablished.

If the data collection file cannot be sent to the destination specified by the examiner, this
message appears: Error sending data.

a. To save the collection file to your computer, click SAVE IN DIFFERENT LOCATION. 

b. Ask the examiner for instructions to manually send the collection file.